French agency caught minting SSL certificates impersonating Google

Unauthorized credentials for Google sites were accepted by many browsers.

Rekindling concerns about the system millions of websites use to encrypt and authenticate sensitive data, Google caught a French governmental agency spoofing digital certificates for several Google domains.

The secure sockets layer (SSL) credentials were digitally signed by a valid certificate authority, an imprimatur that caused most mainstream browsers to place an HTTPS in front of the addresses and display other logos certifying that the connection was the one authorized by Google. In fact, the certificates were unauthorized duplicates that were issued in violation of rules established by browser manufacturers and certificate authority services.

The certificates were issued by an intermediate certificate authority linked to the Agence nationale de la sécurité des systèmes d’information, the French cyberdefense agency better known as ANSSI. After Google brought the certificates to the attention of agency officials, the officials said the intermediate certificate was used in a commercial device on a private network to inspect encrypted traffic with the knowledge of end users, Google security engineer Adam Langley wrote in a blog post published over the weekend. Google updated its Chrome browser to reject all certificates signed by the intermediate authority and asked other browser makers to do the same. Firefox developer Mozilla and Microsoft, developer of Internet Explorer have followedsuit. ANSSI later blamed the mistake on human error. It said it had no security consequences for the French administration or the general public, but the agency has revoked the certificate anyway.

An intermediate certificate authority is a crucial link in the "chain of trust" that's key in connections protected by SSL and its successor protocol, known as transport layer security (TLS). Because intermediate certificates are signed by a root certificate embedded in the browser, they have the ability to mint an unlimited number of digital certificates for virtually any site. The individual certificates will be accepted by default by most browsers. The issuance of an intermediate certificate that spoofs certificates for domains of Google or other third-party websites is a significant breach of protocol. It could represent a major threat if one of the individual certificates—or, worse, the intermediate certificate—were ever to fall into the wrong hands.

Not the first time

The incident is only the latest to underscore gaping vulnerabilities in the SSL system. In early 2012, critics called for the ouster of Trustwave as a trusted issuer of SSL certificates after the security firm admitted to minting a credential a customer used to impersonate websites it didn't own. In both cases, the unauthorized certificates were used to help network operators inspect the encrypted traffic flowing over their systems. While the holders of these unauthorized certificates didn't intend to use them to attack Internet users, critics have slammed the practice because it has the potential to harm third-party bystanders.

Even more worrisome are actual security breaches on certificate authorities that on at least one occasion have allowed attackers to create counterfeit credentials used to compromise third-party Web services. That's precisely what happened in 2011, when security researchers spotted a bogus certificate for Google.com that gave attackers the ability to impersonate the website's mail service and other offerings. The counterfeit certificate was minted after attackers pierced the security of Netherlands-based DigiNotar and gained control of its certificate-issuing systems. Within a few days of the discovery, most of the major Web browsers issued updates to block the certificate, but not before some 300,000 people, many located in Iran, had been exposed to the certificate as they accessed Gmail servers.

Taken together, the incidents highlight one of the key shortcomings of the SSL system. Despite its importance to millions of online banks, e-commerce services, and other sites, the entire system can be undermined by a single point of failure. With hundreds of issuers trusted by the typical browser, all it takes is for one of them to be compromised somehow.

Engineers have proposed several ways to improve the integrity of the SSL system. One of them is known as certificate pinning and is already available in Chrome, Microsoft's EMET security software, and other applications. Pinning works by examining the fingerprint of a certificate used by a specific website to make sure it matches the one known to be valid. Browsers that use pinning will reject all other certificates for a given site, even if the credential is signed by a valid certificate authority. Another suggested fix, submitted as a proposed standard to the Internet Engineering Taskforce by researcher Moxie Marlinspike, would work much the same way, except it would work across all browsers and websites. There are several other proposals under consideration, including one from Google called certificate transparency and one developed by engineers from Red Hat.

Promoted Comments

The statement " Browsers that use pinning will reject all other certificates for a given site, even if the credential is signed by a valid certificate authority" might be true with Chrome, but it's not true with EMET. If you pin a certificate in EMET and you're then presented with a different certificate for the site, EMET just pops up a little "toast" warning from the system tray. Nothing prevents you from accessing the site just as you always have.

I ran into this recently when our bank (a major US commercial bank) changed certificates. Several days later, the bookkeeper finally asked why she was getting that warning every time she logs into the bank. In our case, it was just a matter of pinning the new certificate, but if it had been fraud, the protection afforded by EMET would have been inadequate in my opinion.